On Jan, 17th 2013, the Department of Health and Human Services (HHS) released the Omnibus Final Rule which interprets and implements a variety of requirements in the Genetic Information Nondiscrimination Act of 2008 (GINA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).
HHS was required to make changes to the HIPAA Enforcement Rule and their approach to imposing civil money penalties (CMPs) for violations of the HITECH Act. Previously, civil penalties were only applied in extreme cases. However, as part of the HITECH Act, The Final Rule will increase the fines for civil penalties to include a tiered penalty structure that’s aligned with the nature and circumstances of the violation. The Rule:
- Increases the amount of CMPs,
- Reduces the number of available affirmative defenses to CMPs, and
- Requires imposition of CMPs for every violation caused by willful neglect.
On Oct 30th 2009, HHS issued an Interim Final Rule, along with a request for comments. HHS will continue to make a variety of revisions to the Interim Final Rule however the main guideline regarding the penalties will remain the same.
Determining The Amount Of A Civil Money Penalty
The Final Rule follows the penalty structure enacted by the HITECH Act for violations occurring after Feb 18, 2009. The amount of the penalty will increase with the level of culpability; the maximum penalty for violations of the same HIPAA provision is $1.5 million per year.
Before the HITECH Act, the imposition of CMPs under HIPAA was limited to a maximum of $100 per violation and $25,000 for all violations of identical prohibition or requirement that occurs within the same calendar year.
The tiered structure for imposition of CMPs under the HITECH Act and Final Rule categorizes the level of culpability into four separate violation categories:
1. Unknowing: The covered entity or business associate didn’t know, and reasonably couldn’t have known about the violation.
2. Reasonable Cause: The covered entity or business associate knew, or by using reasonable diligence would have known that the act or omission was a violation. The covered entity or business associate wasn’t acting with willful neglect.
3. Willful Neglect – Corrected: The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, within 30 days of discovery, the covered entity or business associate corrected the violation.
4. Willful Neglect – Uncorrected: The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. The violation wasn’t corrected within 30 days of discovery.
|Violation Category||Each Violation||Total CMP for Violations of an Identical Provision During the Same Calendar Year|
|Willful Neglect – Corrected||$10,000-$50,000||$1,500,000|
|Willful Neglect – Uncorrected||At least $50,000||$1,500,000|
According to the Final Rule, HHS doesn’t have the authority to immediately impose the maximum CMP for violations. When determining the amount of a CMP, HHS must consider the following:
- Previous compliance history, such as prior violations;
- The nature and extent of the violation, such as the number of individuals affected;
- The nature and extent of the harm that results from the violation, such as individuals’ reputation or financial harm; and
- The financial condition of the covered entity or business associate, such as whether financial issues kept the individual from complying.
Defenses to CMPs
The Final Rule decreases the ability of the Secretary of HHS to impose CMPs for specific HIPAA violations occurring after Feb 18th 2009. More specifically, the Secretary cannot impose CMPs for a violation that’s not due to willful neglect and has been corrected within 30 days of knowledge of the violation. However, this defense doesn’t apply for violations due to willful neglect.
A covered entity or business associate who discovers a violation that isn’t due to willful neglect should attempt to correct the violation within 30 days of the discovery. They should also document the date when the violation was discovered and the date when the violation was corrected.
The Final Rule also prohibits the imposition of CMPs for violations of HIPAA that have previously imposed a criminal penalty for the same conduct.
Waiver and Discretion
The Final Rule gives HHS final judgment if they’d like to waive a CMP for violations that aren’t due to willful neglect, in whole or in part, or if the penalty is disproportionate to the violation. The waiver reflects the tiered CMP structure; it provides a way to ensure that the amount of CMP reflects the level of culpability.
Additionally, CMPs aren’t the only remedy for violations of HIPAA. HHS can use other measures to address HIPAA violations such as resolving noncompliance or providing technical assistance. Before the Final Rule, HHS was required to resolve the issue through these informal means for all violations.
Under the Final Rule, HHS doesn’t have to make an attempt to informally settle complaints. They can simply determine whether they’d like to do so, or begin the formal penalty assessment process instead. HHS can also share information found during all investigations and compliance reviews with other law enforcement agencies.
CMPs for Acts by Business Associate Agents
According to the Final Rule, covered entities are liable for all violations by their business associates. It also states that business associates are liable for the acts of their agents.
In general, an agency relationship occurs when the agent’s actions can easily be directed or controlled during the course of performing their duties, regardless of whether actual control has occurred.
Although business associates are directly regulated under HIPAA, covered entities will still be held responsible for their business associates’ actions. Therefore, covered entities must ensure that they are HIPAA compliant through their business associate contracts, and business associates must do the same for their subcontractors.